Have You Backed Up Your Gmail?

On April 13, 2011, Deb Fallows tried logging into her Gmail and found that she couldn’t get access. At about the same time, her husband James was checking his email and found a message purporting to be from her, followed by an expanding flow of concerned responses from friends, all about emails they had received about being “mugged in Madrid.” Someone had obviously taken over her account and was using it as a spamming tool.

Deb then turned to Google for help. Not surprisingly, there was no human being to talk to at Google. Google [GOOG] deals with such matters in an automated fashion. How could they do otherwise? With hundreds of millions of active Gmail accounts to manage, operating in 54 languages worldwide, the relative handful of human beings on Gmail’s support staff could not even pretend to offer live one-on-one service. Yahoo [YHOO], Microsoft [MSFT], Facebook, Skype, eBay [EBAY], and the other big operators of “cloud”-based systems are in the same position.

Deb filled out a password-reset form. Doing so prompted Google to send reset instructions to the mobile-phone number or alternate e‑mail address listed as “recovery options” for Deb’s account. “Unfortunately” (a word we will keep hearing), her alternate e‑mail account, with AOL, was no longer active. When there is no human to call, those recovery options are the only way back into an account, so a stale one is as bad as none.

So then Deb submitted a form reporting that an account had been taken over or compromised. She had sent in that form within 30 minutes of discovering the problem.

Things seemed to be improving when she received instructions on how she could reset her password and regain control of her information. She followed the instructions and logged into her account and found—absolutely nothing. 4+ gigabytes of messages were gone.

All the notes, interviews, recollections, and attached photos from our years of traveling through China. All the correspondence with and about her father in the last years of his life. The planning for our sons’ weddings; the exchanges she’d had with subjects, editors, and readers of her recent book; the accounting information for her projects; the travel arrangements and appointments she had for tomorrow and next week and next month; much of the incidental-expense data for the income-tax return I was about to file—all of this had been erased. It had not just been put in the “Trash” folder but permanently deleted.

The real problem: it's all gone!

When Deb sent in a “My e‑mail is missing” form, she received an automated response saying that almost all of the 4+ gigabytes of her life “unfortunately are not recoverable” and recommending that she take steps to strengthen her email security. This was followed by the chilling final line, “We unfortunately will not be able to respond to any further emails on this case.”

Over and out.

For most normal citizens, that would be the end of the story. The stuff of Deb’s life would have been gone forever.

As it happens, Deb was married to James Fallows, a national correspondent for The Atlantic, with friends who worked at Google. He was able to use his connections to press Google into making the additional effort to retrieve her lost “life”.

The scale of the nightmare

At Google, James Fallows discovered that such account takeovers occur several thousand times a day.

Why are so many people vulnerable? As in the great majority of hacking cases, Deb had been using the same password for her Gmail account as for some other, less secure sites, where her username was her Gmail address. After all, who hasn’t done this? And one way or another, a list of e‑mail addresses and associated passwords from one of those sites had made its way to hackers. Once such a list is in circulation, each address-and-password pair can simply be tried against the Gmail login page, and wherever the password was reused the attacker walks straight in.

It’s also possible, Fallows thinks, that Deb’s password was simply “guessed,” by what he calls a “brute-force attack,” in which a hacker’s computer tries every word or combination of words in existence, in a variety of languages, to see if it finds a match (strictly speaking a dictionary attack, since the guesses are drawn from word lists rather than from every possible string). As a result, a password that can be assembled from dictionary words is not safe. Deb’s password was judged “strong” when she first chose it for use with Gmail, but it was a combination of two short English words followed by numbers, so if it didn’t leak from some other site, it might just have been guessed. Nor does it help much that systems like Gmail’s lock out anyone who makes millions of random guesses at the login page: the guessing need not happen at Gmail at all. The usual route is that a less careful site that stored her password is breached, the attacker runs the guesses offline against the stolen password file at millions per second, and only then visits Gmail with the answer.
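What the two paragraphs above describe can be shown end to end. The following is an added example written for this page, not code from Fallows’ article or from Google: a constructed, unsalted SHA-1 password table leaked from a weaker site, an offline guess list built from pairs of short words and digits (the shape of the password in the story), and a stand-in login function for the mail service. Every address, password and the login function are invented for the example.

```python
import hashlib
import itertools

def sha1hex(password: str) -> str:
    """Unsalted SHA-1, the way many weak sites stored passwords in 2011."""
    return hashlib.sha1(password.encode()).hexdigest()

# Constructed leak from a small forum's user table. None of these is a real password.
LEAKED_FORUM_TABLE = [
    ("alice@example.com", sha1hex("lakedeep55")),  # two short words + digits, like the password in the story
    ("bob@example.com", sha1hex("reddog7")),
    ("carol@example.com", sha1hex("lake winnebago is deep and chilly")),  # long passphrase in Fallows' style
]

# The higher-value service the attacker really wants (a stand-in for Gmail, also constructed).
# Alice and Carol reused their forum password there; Bob uses a separate generated one.
MAIL_ACCOUNTS = {
    "alice@example.com": sha1hex("lakedeep55"),
    "bob@example.com": sha1hex("V*!amYEg5M5!3R"),
    "carol@example.com": sha1hex("lake winnebago is deep and chilly"),
}

def mail_login(address: str, password: str) -> bool:
    """Stand-in for the target site's login page (assumed; this is not Gmail's code)."""
    return MAIL_ACCOUNTS.get(address) == sha1hex(password)

SHORT_WORDS = ["lake", "deep", "cold", "blue", "red", "sun", "moon", "star", "dog", "cat", "fish", "bird"]

def word_word_digits():
    """Attacker's guess list: every pair of short words, alone and followed by 0-99 (14,544 guesses)."""
    for w1, w2 in itertools.product(SHORT_WORDS, repeat=2):
        yield w1 + w2
        for n in range(100):
            yield f"{w1}{w2}{n}"

def crack_offline(leaked_table):
    """Offline dictionary attack: hash each guess once and look it up against every leaked digest.
    Nothing here touches the mail service, so its login rate limiting never comes into play.
    Returns {address: recovered password}."""
    addresses_by_digest = {}
    for address, digest in leaked_table:
        addresses_by_digest.setdefault(digest, []).append(address)
    recovered = {}
    for guess in word_word_digits():
        for address in addresses_by_digest.get(sha1hex(guess), ()):
            recovered[address] = guess
    return recovered

def credential_stuffing(recovered, login):
    """Online step: try each recovered pair once against the target's login. Returns the addresses taken over."""
    return [address for address, password in recovered.items() if login(address, password)]

if __name__ == "__main__":
    cracked = crack_offline(LEAKED_FORUM_TABLE)
    print("recovered from the leak:", cracked)
    print("taken over on the mail service:", credential_stuffing(cracked, mail_login))
```

The point to take away is where the work happens: all 14,544 guesses are hashed on the attacker’s own machine against the stolen table, so the mail service’s lockout after a few bad attempts is never triggered; it sees exactly one login per address, with the right password. Bob’s forum password is recovered too, but it opens nothing else because he used a different one for mail, and Carol’s passphrase survives only because it lies outside the guess list, which is the same argument behind the password suggestions that follow.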

Fallows has the following suggestions:

If you use Gmail, use Google’s new “two-step verification” system. In practice this means that to log into your account from any place other than your own computer, you have to enter an additional code, generated for you by Google and shown on your mobile phone. On your own computer, you enter a code only once every 30 days. This is not an airtight solution: it does nothing if the attacker already controls the machine you log in from, and a code can be phished like a password if the victim types it into a fake page while it is still valid. But it thwarts nearly all of the remote attacks that affect Gmail thousands of times a day. Even though the hacker in Lagos has your password, if he doesn’t have your cell phone, he can’t get in.

Get a stronger password. The problem is, the stronger the password, the less likely you are to remember it. Thus the Post-it notes with passwords, on monitor screens or in desk drawers. Fallows suggests a middle ground, of passwords strong enough to create problems for hackers and still simple enough to be manageable.

Choose a long, familiar-to-you sequence of ordinary words, with spaces between them as in an ordinary sentence, which more and more sites now allow. “Lake Winnebago is deep and chilly,” is Fallows’ example. Each added word multiplies the number of guesses an attacker has to make, which is why length beats the odd digit or symbol tacked onto a short password.

Choose a shorter sequence of words that are not “real” English words. I once lived in a Ghanaian village called Assin Fosu. I can remember its name easily, but it would be hard to guess. Even harder if I added numbers or characters.

Choose a truly obscure, gibberish password—“V*!amYEg5M5!3R” is one I generated just now with the LastPass system. Having it written down in your wallet is one option, though the paper it’s on shouldn’t say “Passwords” at the top. Or one can use online managers like LastPass or RoboForm. Even if their corporate sites were hacked, that wouldn’t reveal all your passwords, since the programs work by storing part of the encoding information in the cloud and part on your own machine.

Use different passwords. Not hundreds of different ones, for the hundreds of different places that require logins of some kind. The rule should be: any site that matters needs its own password—one you don’t currently use for any other site, and that you have never used anywhere else.

Back up your email

The additional precaution that Fallows doesn't emphasize enough in his article is: don't rely on any of these password reinforcement schemes. No password is completely safe, and a password, however strong, guards against the wrong kind of loss anyway: what erased Deb's mail was not the break-in but the deletion that followed it, and the only defence against deletion is a second copy kept somewhere the attacker cannot reach. Don't keep all your eggs in one basket. Don't rely on Google. If you have anything significant in your Gmail files (and who doesn't?), back it up somewhere else!

Fallows mentions in passing the possibility of backups via programs like Eudora, Thunderbird, SugarSync and Dropbox. A useful article that reviews five different ways to back up your Gmail is available from Business Insider here.
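Making the local copy needs no special product, because Gmail speaks IMAP, which is also the path a desktop client such as Thunderbird takes. The following is an added example written for this page, not one of the tools Fallows names and not Google’s code. It assumes IMAP access is enabled in Gmail’s settings and that you sign in with an app-specific password (the kind Google issues to accounts using two-step verification); the host name and the “[Gmail]/All Mail” folder name are Gmail’s documented ones. It downloads every message into a standard mbox file and skips messages already saved, so it can be rerun to pick up new mail. The two sample messages are constructed so the resume logic can be exercised without a network connection.

```python
import email
import imaplib
import mailbox
import os
import tempfile

IMAP_HOST = "imap.gmail.com"      # Gmail's IMAP endpoint
ALL_MAIL = '"[Gmail]/All Mail"'   # the folder holding every message regardless of label

def save_messages(raw_messages, mbox_path):
    """Append raw RFC 822 messages to a local mbox, skipping any whose Message-ID is already stored.
    Returns the number of messages added. Safe to call repeatedly, so a backup can resume."""
    box = mailbox.mbox(mbox_path)
    try:
        seen = {m["Message-ID"] for m in box}
        added = 0
        for raw in raw_messages:
            msg = email.message_from_bytes(raw)
            msg_id = msg["Message-ID"]
            if msg_id is not None and msg_id in seen:
                continue
            box.add(msg)
            seen.add(msg_id)
            added += 1
        box.flush()
    finally:
        box.close()
    return added

def fetch_all(user, app_password, folder=ALL_MAIL, batch=100):
    """Generator over raw messages in the account, fetched by UID in batches, folder opened read-only."""
    conn = imaplib.IMAP4_SSL(IMAP_HOST)
    try:
        conn.login(user, app_password)
        status, _ = conn.select(folder, readonly=True)
        if status != "OK":
            raise RuntimeError(f"cannot open {folder}")
        _, data = conn.uid("SEARCH", None, "ALL")
        uids = data[0].split()
        for i in range(0, len(uids), batch):
            _, parts = conn.uid("FETCH", b",".join(uids[i:i + batch]), "(RFC822)")
            for part in parts:
                if isinstance(part, tuple):   # (b'n (UID u RFC822 {size}', <raw bytes>); bare b')' entries are skipped
                    yield part[1]
    finally:
        conn.logout()

# Constructed messages for an offline check of the resume logic.
SAMPLE_MESSAGES = [
    b"From: a@example.com\r\nTo: me@example.com\r\nMessage-ID: <one@example.com>\r\nSubject: Madrid\r\n\r\nnot mugged, promise\r\n",
    b"From: b@example.com\r\nTo: me@example.com\r\nMessage-ID: <two@example.com>\r\nSubject: Weddings\r\n\r\nseating plan attached\r\n",
]

def resume_demo():
    """Run the same backup twice into a fresh temporary mbox. Returns (added first run, added second run, total stored)."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    os.close(fd)
    try:
        first = save_messages(SAMPLE_MESSAGES, path)
        second = save_messages(SAMPLE_MESSAGES, path)
        box = mailbox.mbox(path)
        total = len(box)
        box.close()
    finally:
        os.unlink(path)
    return first, second, total

if __name__ == "__main__":
    import getpass
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: gmail_backup.py you@gmail.com backup.mbox")
    user, path = sys.argv[1], sys.argv[2]
    n = save_messages(fetch_all(user, getpass.getpass("app-specific password: ")), path)
    print(f"added {n} new messages to {path}")
```

Run it from cron or by hand now and then, and keep the mbox file on a disk or in a service that does not share the Gmail password; a backup that the same stolen credentials can reach is not a backup against this attack.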

Fallows concludes his terrifying article: “As with so many other challenges in modern life, responding with panic or zealotry doesn’t get us anywhere. But a few simple self-protective steps can save a lot of heartache later on.”

There. You have been alerted to the heaven that is modern technology when it works, and the hell that it is when it doesn’t.

To learn more about radical management, join the webinar on Thursday October 20 at noon ET. This webinar is the fifth and final session of the Jossey-Bass online conference series, in which the authors of all four books will have a round-table discussion. To register, go here and use discount code JBMSD.